We had two users fall for a phishing email recently, and of course the result was that he gave his user/pass to a spammer. We caught one of them in time, but the other got out many thousands of spam the other night before being discovered. I am in the process of cleaning this up. Spamcop and others were good about delisting us promptly. Others will within the next day. However, "Senderbase", apparently used in Cisco's Ironport, will let you look up your IP and tell you that your reputation is "poor", but offers no way to get delisted. It refers you to Spamcop, which I imagine they rely on for listings, but not delistings. For now, I'm re--routing per domain to a second server, but I'd appreciate any tips if there are any. Seems a lot of .edu's use senderbase.